According to researchers at IBM X-Force group, cyber criminals are delivering the infamous malware via spam campaigns that began last month. The Ursnif banking Trojan was the most active malware code in the financial sector in 2016 and the trend continued through 2017 to date.

In previous campaigns, the Ursnif banking Trojan targeted users in Japan, North America, Europe and Australia, currently, hackers have improved their evasion technique to target users in Japan.

“Ursnif’s activity is marked by both frequent code modifications and campaign activity in North America, Europe and Australia.” reads the X-Force report. “But one of its most popular targets in 2017 has been Japanese banks, where Ursnif’s operators were very active in late Q3 2017, starting in September. The threat actors continue to spam users in the region regularly as we move into Q4.”

The variants of the malware that targeted Japan also hot user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

The Ursnif banking Trojan was first spotted by experts in 2007, in 2019 its source code was accidentally leaked that lead to a continuous evolution of the threat that was improved over the years with new web-injection techniques and other features.

Back to the present, the latest version of Ursnif, so-called v2, is capable of many malicious activities including:

The malware targets banks in Bulgaria, Poland, Spain and the Czech Republic, North America, Australia and Japan with malspam.

“The delivery method of Ursnif payloads in Japan has been rather consistent throughout the campaigns observed this summer, featuring fake attachments purporting to come from financial services and payment card providers in Japan.” continues the analysis.

The experts also observed a malspam variant delivers an HTML link that points to a .zip file containing a JavaScript. The script launches another PowerShell script that fetches the Ursnif payload from a remote server.

“Recent Ursnif malspam campaigns used a macro evasion technique that launches PowerShell only after the user closes the malicious file. This method helps the malware evade sandbox detection.” continues the experts.

The above technique was implemented to allow the malware evading the sandbox.

Vxers behind the Ursnif have also leveraged the Tor network to hide command-and-control communications.

The situation in Japan has worsened since 2015 when the Shifu Trojan targets banks in the country before spreading across Europe.

Shifu’s activity in Japan faded in 2017, “but it was one of the pivotal organized cybercrime groups that opened the floodgates to other cybercrime actors such as URLZone, Rovnix and a step-up in Ursnif attacks.”